Governance & Risk Management

Report: Russia Arrests Cybersecurity Official

Lead Kaspersky Lab Investigator Also Arrested as Part of Treason Investigation
Report: Russia Arrests Cybersecurity Official
The FSB headquarters at Lubyanka Square in Moscow. Photo: NVO (Flickr/CC)

Russian authorities have reportedly arrested a top computer security official at the Federal Security Service, known as the FSB, on charges of treason.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

Sergei Mikhailov, deputy chief at the FSB's Information Security Center - known as the CDC - has been accused of receiving money from "foreign organizations," Russian daily newspaper Kommersant reports, citing unnamed FSB sources. Mikhailov was reportedly arrested in December, and his friends have not been able to reach him since then, according to the report.

The CDC, aka Military Unit (Vch) 6482, is responsible for monitoring the Russian internet as well as investigating data leaks, although some security experts say it may also be used for offensive operations.

As part of the investigation, authorities also arrested Mikhailov's deputy, Dmitry Dokuchayev, in December. "Sergei Mikhailov and his deputy, Dmitry Dokuchayev, are accused of betraying their oath and working with the CIA," according to private Russian news agency Interfax.

Also arrested was Ruslan Stoyanov, who heads the computer incidents investigations team at Moscow-based Kaspersky Lab, and who has reportedly also served as a liaison between the company and Russian security services.

Citing unnamed sources, Kommersant reports that the investigation also centers on a private information security firm, which has not been named.

Kaspersky Lab Confirms Employee's Arrest

Kaspersky Lab has confirmed Stoyanov's arrest, but emphasized that the investigation focuses on Stoyanov as a private individual and has nothing to do with the company.

"The employee ... is under investigation for a period predating his employment at Kaspersky Lab," the company says in a statement. "We do not possess details of the investigation."

Kaspersky Lab says that the work of its computer incidents investigations team has continued despite Stoyanov's arrest.

According to Stoyanov's LinkedIn profile, he joined Kaspersky Lab in July 2012. Prior to that, he worked as deputy director at a firm called Indrik - from 2010 to 2012; as head of network security for internet access service provider RTComm.RU from 2006 to 2010; and was a major in the Ministry of Interior's Moscow cybercrime unit from 2000 to 2006.

Stoyanov apparently helped Kaspersky Lab liaise with Russian law enforcement agencies. In 2016, for example, Stoyanov described the investigation into the Lurk Trojan, which Kaspersky Lab discovered in 2011 (see Russian Police Bust Alleged Bank Malware Gang).

That investigation - led by Kaspersky Lab and Russia's largest bank, Sberbank - led to the arrest of about 50 suspected Russian hackers in mid-2016 by the FSB on charges that the Interior Ministry said related to the alleged theft of at least 1.7 billion rubles ($28.7 million) from accounts at multiple Russian banks. It was the largest arrest of alleged hackers to have ever taken place inside Russia.

Head of CDC May Be Dismissed

The report that Mikhailov and Stoyanov and were arrested in December follows a Jan. 13 report in Kommersant suggesting that Andrei Gerasimov, who has led the CDC since 2009, might soon be fired in relation to an ongoing investigation involving one of his deputies. The report cited only unnamed sources.

It's not clear if the treason charges arelegitimate. As Foreign Policy notes, "charges of corruption in Russia do not necessarily mean corruption was the cause of a dismissal."

No Direct Tie to Alleged US Election Hacking

What's also not clear is if Gerasimov's potential dismissal might relate to the 2016 U.S. presidential election. The U.S. intelligence community accused the Russian government of attempting to influence the election.

As part of that alleged campaign, Russia's military intelligence service, the GRU, provided WikiLeaks with thousands of hacked emails from the Democratic National Committee and others, including Hillary Clinton's campaign chairman, according to a report issued by the Office of the Director of National Intelligence and the Department of Homeland Security

"We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks," according to the ODNI and DHS report. "Moscow most likely chose WikiLeaks because of its self proclaimed reputation for authenticity."

The report named two hacking groups with alleged Russian ties: Fancy Bear, aka APT28, which is suspected of operating under the control of the GRU; and Cozy Bear, aka APT29, which is allegedly affiliated with the FSB.

Connected to Kompromat Reveal?

Gerasimov heads the FSB's internal cybersecurity team, however, which hasn't been directly blamed for participating in the alleged hacking campaign.

Instead, some Kremlin watchers are questioning whether Gerasimov might have been involved in an alleged FSB effort to gather "kompromat"- compromising materials - on U.S. President Donald Trump. Trump was briefed, shortly before becoming president, on a series of memos written by a former U.K. Western intelligence official, who said that the Russian government had amassed personal and financial information that could be used to blackmail Trump and that Trump's team has deep ties to the Russian government (see 'Explosive' Report Details Alleged Russia-Trump Team Ties).

The existence of any such kompromat or ties between Trump's advisers and Russia has not been validated or verified.

But the timing of Gerasimov's impending dismissal - according to news reports he was already set to retire soon - has some Kremlin watchers, including Dmitry Zaks, a reporter for Agence France-Press, questioning whether it's retaliation for the alleged Russian kompromat on Trump coming to light.

Likewise, it's not clear if Kaspersky Lab's Stoyanov, who is one of the country's top cybersecurity investigators, and who has actively worked to help put Russian hackers behind bars, might have clashed with the FSB or GRU. Security experts say Russian security services have long hired known criminals and turned a blind eye to their hacking activities, so long as they don't target Russia, and assist the government upon request (see Russian Cybercrime Rule No. 1: Don't Hack Russians).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.